Description: Cross-site request forgery in Magento Connect Manager allows an attacker to execute actions such as the installation of a remote module that leads to the execution of remote code. The attack requires a Magento store administrator, while logged in to Magento Connect Manager, to click a link that was prepared by the attacker.
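The defence against the forged-link scenario described above is to bind every state-changing administrative action to a per-session secret that a link prepared off-site cannot carry. The following is an added example written for this page, not Magento's or Connect Manager's own code; the field name `csrf_token`, the session key, and the handler layout are assumptions for the illustration.

```php
<?php
// Added example (not Magento code): synchronizer-token check for a
// state-changing admin action such as "install module".
// Assumed names: session key 'csrf_token', POST field 'csrf_token'.

session_start();

function csrfToken(): string
{
    // One random token per session; regenerated only when absent.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfFieldHtml(): string
{
    // Hidden field to embed in every admin form that performs an action.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function isValidCsrfRequest(array $post, string $method): bool
{
    // State changes are accepted over POST only, so a plain link (GET)
    // prepared by a third party never reaches the privileged action.
    if ($method !== 'POST') {
        return false;
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals performs a constant-time comparison of the two tokens.
    return $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}

// Usage at the top of the action handler:
if (!isValidCsrfRequest($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET')) {
    http_response_code(403);
    exit('Invalid or missing request token');
}
// ... only now perform the privileged action (e.g. module installation)
```

The token must be compared against the copy held server-side in the session, never against a value the request itself supplies twice, and the check has to run before any side effect. Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer but does not replace the token.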

Cross-Site Scripting in Wishlist – APPSEC-1012

Type: Cross-site Scripting (Other)

CVSSv3 Severity: 5.3 (Medium)

Known Attacks: None

Description: This vulnerability makes it possible to include an unescaped customer name in the email that is sent when a Wishlist is shared. By manipulating the customer name, an attacker can use the store to send spoofing or phishing emails.

Store Path Disclosure – APPSEC-847

Type: Information Leakage (Internal)

CVSSv3 Severity: 5.3 (Medium)

Known Attacks: None

Description: Directly accessing the URL of files that are related to Magento Connect produces an exception that includes the server path. The exception is generated regardless of the configuration settings that control the display of exceptions. There is a low risk of attackers gaining a sufficient understanding of the site structure to target an attack.

Permissions on Log Files Too Broad – APPSEC-802

Type: Information Leakage (Internal)

CVSSv3 Severity: 3.8 (Low)

Known Attacks: None

Description: Log files are created with permission settings that are too broad, which allows them to be read or altered by another user on the same server. The risk of an internal information leak is low.
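Two things a store operator can do about the log-permission issue are to create log files with a restrictive mode from the start and to audit an existing log directory for files that other users on the host can read or write. The following is an added example for this page, not Magento's own logging code; the directory path and the chosen mode of `0640` are assumptions.

```php
<?php
// Added example (not Magento code): create log files with a restrictive
// mode and audit a log directory for files exposed to "other" users.
// Assumed: a log directory path is passed in; 0640 is the target mode.

function openLogRestricted(string $path)
{
    // Tighten the umask so a newly created file can be at most 0640
    // (owner read/write, group read, nothing for others), then restore it.
    $oldUmask = umask(0027);
    try {
        $fh = fopen($path, 'a');
        if ($fh === false) {
            throw new RuntimeException("cannot open log file $path");
        }
        // A pre-existing file keeps its old mode; enforce the target explicitly.
        if (!chmod($path, 0640)) {
            throw new RuntimeException("cannot set mode on $path");
        }
        return $fh;
    } finally {
        umask($oldUmask);
    }
}

function findBroadLogPermissions(string $dir): array
{
    // Returns [path => octal mode] for every regular file in $dir that is
    // readable or writable by "others" (the last octal digit), which is the
    // condition the advisory describes.
    $broad = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $mode = $entry->getPerms() & 0777;
        if ($mode & 0006) {
            $broad[$entry->getPathname()] = sprintf('%04o', $mode);
        }
    }
    return $broad;
}

// Usage (directory name is a placeholder for the store's log directory):
$logDir = __DIR__ . '/var/log';
foreach (findBroadLogPermissions($logDir) as $path => $mode) {
    echo "broad permissions $mode on $path\n";
}
$fh = openLogRestricted($logDir . '/example.log');
fwrite($fh, date('c') . " audit run\n");
fclose($fh);
```

The umask is only a default for newly created files, so the explicit `chmod` is what actually corrects files that already exist with a broad mode; the audit function reports rather than changes, so it can be run under cron and its output alerted on without risking a permission change on the wrong file.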

Cross-Site Scripting in Orders RSS – APPSEC-1012

Type: Cross-site Scripting (Stored)

CVSSv3 Severity: 5.3 (Medium)

Known Attacks: None

Description: The vulnerability allows an attacker to include an unescaped customer name in the New Orders RSS feed. By manipulating the customer name, an attacker can inject incorrect or malicious data into the feed, and expose the store to risk.
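Both the Wishlist email issue and the New Orders RSS issue on this page come down to the same defect: a customer-controlled name is written into an output context (HTML email body, XML feed) without the escaping that context requires. The following is an added example, not Magento's own rendering code, showing the unescaped construction next to a hardened one; the function names and the order/wishlist field names are assumptions for the illustration.

```php
<?php
// Added example (not Magento code): escaping a customer-supplied name for
// the two output contexts named in this advisory, an RSS/XML feed and an
// HTML e-mail. Field names ('customer_name', 'increment_id') are assumed.

function escapeHtml(string $s): string
{
    // ENT_QUOTES covers both quote styles so the value is also safe inside
    // attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
    // an empty string, which would otherwise silently drop the name.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function escapeXml(string $s): string
{
    // Same idea for XML element text and attribute values in the feed.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_XML1, 'UTF-8');
}

// Defective pattern: the name is concatenated straight into the feed item,
// so any markup in it becomes part of the feed document.
function renderOrderItemUnsafe(array $order): string
{
    return '<item><title>New order from ' . $order['customer_name'] . '</title></item>';
}

// Hardened: every untrusted value goes through the escaper for its context.
function renderOrderItem(array $order): string
{
    return '<item><title>New order #' . escapeXml($order['increment_id'])
        . ' from ' . escapeXml($order['customer_name']) . '</title></item>';
}

// Hardened HTML e-mail fragment for the Wishlist sharing message.
function renderWishlistEmail(string $customerName, string $message): string
{
    return '<p>' . escapeHtml($customerName) . ' shared a wishlist with you.</p>'
        . '<blockquote>' . nl2br(escapeHtml($message)) . '</blockquote>';
}

// Constructed sample input: a customer name that carries markup and quotes.
$order = [
    'increment_id'  => '100000042',
    'customer_name' => '<b>Jane</b> "Doe" <jane@example.com>',
];
echo renderOrderItemUnsafe($order), "\n";
echo renderOrderItem($order), "\n";
echo renderWishlistEmail($order['customer_name'], "Have a look!\nThanks"), "\n";
```

The escaper is chosen by the destination, not by the source: the same name needs `ENT_XML1` when it lands in the feed and `ENT_HTML5` when it lands in the email, and a value that has already been escaped for one context must not be reused verbatim in the other.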